Under the Corporations Act and Fair Work Act, most Australian businesses must retain relevant email records for seven years. While the Taxation Administration Act generally requires a five-year retention period for tax-related records, the seven-year mark remains the safest statutory baseline for avoiding penalties during audits or legal discovery.

The office manager at a mid-sized law firm in Brisbane receives a notice for a trust account audit. The auditor isn’t just looking at the ledger; they want the "contemporaneous correspondence" explaining a specific transfer from October 2021. The partner remembers the email, but the staff member who sent it left in 2023. Their mailbox was deleted to save on Microsoft 365 license costs, and the PST backup on the shared drive is corrupted. What should have been a routine verification becomes a high-stakes compliance failure.

The real compliance requirements in Australia

There is no single "Email Retention Act" in Australia. Instead, retention obligations are spread across several pieces of legislation, depending on the content of the message rather than the format.

Corporations Act 2001 (Section 286): If you operate as a company, you must keep financial records that "correctly record and explain" your transactions and financial position for 7 years. If an email contains an invoice, a quote that was later accepted, or an explanation of a financial adjustment, it is legally a financial record. In an ASIC investigation, "I deleted the email" is rarely an acceptable defence.

Fair Work Act 2009: Employer records—including pay slips, hours worked, and leave applications—must be kept for 7 years. In the era of hybrid work, leave approvals and performance discussions often happen exclusively via email. If a former employee raises a dispute regarding underpayment or unfair dismissal from six years ago, the burden of proof rests on the employer's ability to produce those records.

Taxation Administration Act 1953: The ATO requires you to keep records that explain your tax affairs for 5 years from the date you lodge your return. However, if the ATO suspects fraud or evasion, there is no time limit on how far back they can audit. Because the 5-year tax rule conflicts with the 7-year Corporations Act rule, most professional advisers recommend defaulting to 7 years across the board.

Privacy Act 1988 (APP 11.2): This creates a "compliance sandwich." While the laws above require you to keep data, the Privacy Act requires you to destroy or de-identify personal information once it is no longer needed for a legal purpose. This means you shouldn't just keep everything forever; you need a process to purge data once the 7-year statutory period expires to minimize your data breach exposure.

What most small firms actually do

In most Australian professional services firms, "email archiving" is not a strategy; it’s a series of accidents. Common approaches include:

These workarounds usually break down exactly when they are needed most: during an active legal dispute or a surprise regulatory audit where "missing data" is interpreted as "guilty conscience."

What good looks like: Audit-ready archiving

A compliant Australian business shouldn't rely on staff remembering to "Save to PDF" every important email. An audit-ready archive has four specific characteristics:

1. Continuous Capture: The system should capture every email the moment it is sent or received, before a user has the chance to delete it. This is often called "journaling."

2. Tamper-Evident Storage: To be useful in court, a record must be provably unchanged. A PDF saved to a shared drive can be edited; a cryptographically signed archive entry cannot.

3. Full Metadata Preservation: Compliance isn't just about the body of the email. It's about the headers—the proof of who sent it, which server it passed through, and exactly when it was delivered.

4. Rapid Retrieval: If a regulator gives you 48 hours to produce all correspondence regarding a specific client from 2020, you cannot spend that time manually opening 50 different PST files. You need a centralized search that works in seconds.
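Points 2 and 3 above (tamper-evident storage and metadata preservation) can be demonstrated in a few lines. The following is an added example, not code from the article or from AutoArchive Mail: it keeps the delivery headers verbatim, hashes the raw message bytes, and chains each entry to the previous one with an HMAC so that an edited message, altered metadata, a deleted entry or a reordered archive all fail verification. The sample message and the signing key are constructed placeholders.

```python
import hashlib, hmac, json
from email import message_from_bytes

# Constructed sample message (not from the article); every address and host is illustrative.
RAW_MESSAGE = b"""Received: from mail.example.invalid by archive.example.invalid; Fri, 15 Oct 2021 09:12:03 +1000
Message-ID: <constructed-001@example.invalid>
Date: Fri, 15 Oct 2021 09:11:58 +1000
From: "A. Partner" <partner@example.invalid>
To: bookkeeper@example.invalid
Subject: Trust transfer 15 Oct 2021

Transfer of $12,000 from trust to office account per client instruction.
"""

# Hypothetical archive signing key; a real archive keeps it in an HSM or cloud KMS,
# out of reach of anyone who can edit mailbox contents.
ARCHIVE_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "GENESIS"  # prev_mac value for the first entry in the chain

def make_entry(raw: bytes, prev_mac: str, key: bytes = ARCHIVE_KEY) -> dict:
    """One archive entry: headers kept verbatim, a digest of the raw bytes, and an
    HMAC chained to the previous entry so edits, deletions and reordering show up."""
    msg = message_from_bytes(raw)
    entry = {
        "message_id": msg["Message-ID"],
        "from": msg["From"],
        "date": msg["Date"],
        "received": msg.get_all("Received", []),  # transit path, exactly as delivered
        "raw_sha256": hashlib.sha256(raw).hexdigest(),
        "prev_mac": prev_mac,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return entry

def verify_chain(entries: list, raws: list, key: bytes = ARCHIVE_KEY) -> bool:
    """Recompute every digest and MAC from the stored raw messages; any altered
    message, altered metadata or broken link to the previous entry fails."""
    if len(entries) != len(raws):
        return False
    prev = GENESIS
    for entry, raw in zip(entries, raws):
        if entry["prev_mac"] != prev or entry["raw_sha256"] != hashlib.sha256(raw).hexdigest():
            return False
        unsigned = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(unsigned, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev = entry["mac"]
    return True
```

In practice the raw bytes go to write-once storage and the chain's latest MAC is published somewhere the mail administrators cannot rewrite, which is what lets the archive stand up as "provably unchanged" in the audit scenario described earlier.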

For firms that don't want to manage complex enterprise infrastructure, tools like AutoArchive Mail provide this level of compliance automatically, acting as a "set and forget" safety net for the firm's entire mail flow.

The practical path forward

If you suspect your current email retention is "compliance by luck," take these steps in order:

Honest limitation

This article covers general business and tax retention rules in Australia. It does not cover specialized requirements for medical records (which can extend to 25 years or more for minors) or specific "Class Action" orders that may require indefinite retention of certain documents. If your firm handles high-risk litigation or specialized medical data, seek specific legal counsel on your retention periods.

Ready to automate your email archiving?

AutoArchive Mail captures every email automatically — incoming and outgoing — with clean filenames and full .MSG preservation. 14-day free trial, no credit card required.
